Setting up Lifecycle Insights for Microsoft 365 Data Integration

 

This document outlines the setup for Microsoft 365 Delegated Administration. It applies to Microsoft Cloud Partners certified for delegated administration. It allows you to register an application in Azure Portal once and configure it to pull data from all tenants for which you have delegated administration rights.

Total Estimated time: Less than 15 minutes

The purpose of this document is to instruct you how to configure both Microsoft Azure Active Directory and Lifecycle Insights so that data integration can occur between the two platforms.  At this point, Lifecycle Insights pulls Microsoft 365 users with activated products.

This document is broken down into three sections.

  • Microsoft Configuration
    1. We will register an app within Azure Portal
    2. We will obtain the Application ID, Directory ID for later input into Lifecycle Insights
    3. We will generate a Secret Key for later input into Lifecycle Insights
    4. We will set the required permissions for the app
    5. We will add the App Service Principal account to the AdminAgents group
  • Lifecycle Insights Configuration
    1. You will enter the 3 data points collected in the first step into the Office365 Configuration panel in Lifecycle Insights
    2. You will map Microsoft Tenants to LCI Companies and enable the Integration if appropriate.

 


 

 

Microsoft Azure Portal Configuration

 

Estimated Time: Less than 10 minutes

  1. Log into the portal.azure.com with your admin credentials
  2. Use the top search bar to locate “Azure Active Directory” and click on the icon under Services. 

 


 

 

3. Click Azure Active Directory, then choose App Registrations.

 

4. Click New Registration.

 


 

 

5. Enter information as follows:

  1. Name: Enter any meaningful name, e.g. Lifecycle Insights
  2. Supported account types: Choose the second option (Multitenant)
  3. Redirect URI – leave blank

Click Register

 


 

 

6. In the left navigation pane, Click Azure Active Directory, then App registrations, then All Applications.  Finally, click on the name of the application you just added.

 

7. We need the Application ID and the Client ID.  Click the Copy to clipboard icon beside Application ID and Client ID respectively and paste them into a text editor. You will need these later when setting up Lifecycle Insights.


 

 

8. In the second (from left) navigation pane under Manage, click on Certificates & secrets, then click on + New client secret.



9. In the Add client secret dialog, add a Description, change Expires to the maximum value desired (e.g. 24 months) and click Add.



10. We need the Secret Key.  Click the Copy to clipboard icon beside Secret Value and paste it into a text editor. You will need this later when setting up Lifecycle Insights.  Please do NOT copy the Secret ID!


 

*** Note, once you leave the page, the secret key will no longer be available for copying.  So please be sure to copy it now.

 

11. Click on API permissions under Manage in the left navigation pane.


12. By default, a User.Read permission is already added.  Click on User.Read, and then click Remove permission.  If prompted to confirm, click Yes, Remove.

 


 
 

 

13. Click + Add a permission, then in the Request API permissions page choose Microsoft Graph.

 

14. Click on Application Permissions ** Do NOT choose Delegated Permissions

  1. Expand Directory and choose Directory.Read.All
  2. Expand Reports and choose Reports.Read.All
  3. Expand User and choose User.Read.All
  4. Click Add permissions

 

 

 

15. Finally, in the API Permissions main screen, click on Grant admin consent for <<company name>>.  Click Yes when it asks you for confirmation.  ** Note - The Grant Admin Consent button may be above the permissions table.


**** If the Grant Admin Consent button is not on this page as shown above, then please perform the following:

Click on the application you just registered for Lifecycle Insights, then in the left Nav Pane click on Permissions under Security.  In the Permissions section, click Grant Admin Consent for <<company name>>.
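
To confirm that steps 12 through 15 left the app with exactly the three application permissions, you can inspect the roles claim of an app-only access token issued to it. The following is an added example, not code from Lifecycle Insights or Microsoft; the tokens are constructed samples, and the helper names audit_token and make_sample are hypothetical.

```python
import base64
import json

# Application permissions granted in step 14 of this guide.
EXPECTED_ROLES = {"Directory.Read.All", "Reports.Read.All", "User.Read.All"}


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_token(jwt: str) -> dict:
    """Compare an access token's permission claims with the guide's list.

    Claims are only inspected; the signature is NOT verified, so use this
    for configuration review and never for an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = b64url_json(parts[1])
    roles = set(claims.get("roles", []))
    # 'scp' holds delegated scopes; an app-only token should not carry it.
    delegated = claims.get("scp", "").split()
    return {
        "missing": sorted(EXPECTED_ROLES - roles),
        "unexpected": sorted(roles - EXPECTED_ROLES),
        "delegated_scopes": delegated,
        "ok": roles == EXPECTED_ROLES and not delegated,
    }


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = make_sample({"roles": sorted(EXPECTED_ROLES)})
    # Constructed misconfiguration: extra write permission, Reports missing.
    bad = make_sample({"roles": ["User.Read.All", "Directory.Read.All",
                                 "Directory.ReadWrite.All"]})
    print(audit_token(good))
    print(audit_token(bad))
```

An "unexpected" entry means the app holds more than this guide requires, and a non-empty "delegated_scopes" list means the token was not issued for application permissions.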


 

 

At this point, the App is registered.  We now must add the Service Principal account associated with this app to the AdminAgents group.  This will provide consent to the app to perform the API lookups on each Microsoft tenant that you have delegated Admin rights to.

16. In the top search bar in Azure Portal, search for and select Groups

 

  1. Once in the Groups page, find and select AdminAgents.
  2. Once in AdminAgents group view, click on Members.

 

  3. Click + Add Members near the top.  When you click Add Members, a search bar will appear.  Copy and paste the Application (Client) ID you noted earlier.  When you do this, you will see the name of the app you registered earlier.  Click on that name, and then click Select.

 

You should now see the Service Principal Account added to the AdminAgents group!


UPDATE 2021.09.02

On August 30th, 2021 Microsoft introduced a subtle change to their default settings related to privacy.  Specifically, they have enabled by default a setting that de-identifies user data in their Usage Reports.  This means that instead of returning real email addresses and names, the reports return a random string of data.


Microsoft has published an article regarding this topic.  To ensure the MS365 Integration returns real user information, you will need to follow the principles of this article to ensure identifiable information is returned from their API.


https://techcommunity.microsoft.com/t5/microsoft-365-blog/privacy-changes-to-microsoft-365-usage-analytics/ba-p/2694137


At the time this article was published, the above-referenced article from MS did not contain the correct steps to address this issue.  These steps should work:


1.  Go to MS 365 Admin Center for each tenant

2.  Click on Settings > Org Settings

3.  Click on Reports

4.  Uncheck 'In all reports, display de-identified names for users, groups and sites'


Please note that Microsoft changes its interface frequently. Screenshots may reflect different versions.

 

Lifecycle Insights Configuration

 

Estimated time: 5 minutes

Earlier, when configuring Microsoft, you recorded 3 data points.  Specifically:

  • Application ID
  • Client ID
  • Secret Key

We will need access to those 3 data points to set up the Office365 Data Integration in Lifecycle Insights.

 

  1. Log into Lifecycle Insights using the username and password you created in the previous section.  The login URL is: https://master.lifecycleinsights.io/signIn .
  2. Once logged in, notice the Left Navigation pane has an Integrations Option. Click on Integrations, then click Microsoft 365 tile as shown below.

 


 

  3. Click on the Delegated API Credentials tab.

 

  4. Next, please fill in the form and click Save Settings
    1. Check Microsoft 365 Integration Active
    2. Enter/paste the Application ID exactly as you recorded it earlier
    3. Enter/paste the Directory ID exactly as you recorded it earlier
    4. Enter/paste the Secret Key exactly as you recorded it earlier

 

 

  5. After you click Save Settings, we will attempt to pull your Microsoft Tenant list.  You should then see a list of your Microsoft tenants in the Delegated Company Match tab.  If you do not see the tenants, you may try clicking the Refresh Companies from MS365 button.  If there is an error, there is a problem with your app configuration in Azure portal.

 

  6. To enable Microsoft user and product lookups, you must match the Microsoft Company Name to LCI Company Name.  You must also check the Integration Enabled? checkbox.

 

 

LCI will attempt to sync your Microsoft 365 data nightly.  If you want to perform an on-demand sync, click on the Log/Sync tab, and click the Initiate Sync Now! button.  The sync should happen within a couple of minutes.  You may refresh the log by clicking on the Refresh log icon (next to the Initiate Sync button) to confirm that the sync occurred as you expected.